SOC 2 Compliance Handbook: The 5 Trust Services Criteria

What are the Trust Services Criteria?

Once your organization has decided that you are ready to pursue a SOC 2 attestation, the first thing you have to decide is which of the five Trust Services Criteria (TSP) you want to include in your SOC 2 audit report. Becoming familiar with the categories of security, availability, confidentiality, processing integrity, and privacy should be one of the first steps in your scoping process. On a basic level, you can think about the Trust Service Criteria in terms of these concepts:

  • Security – Is the system protected, both physically and logically, against unauthorized access?
  • Availability – Is the system available for operation and use as agreed upon?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed upon?
  • Processing Integrity – Are the processing services provided in a complete, accurate, and timely, manner?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the service organization’s privacy notice and business objectives?

Which Trust Services Criteria Apply to My Organization?

Security is the category that applies to all engagements and is what the remaining Trust Services Criteria are based on. In a non-privacy SOC 2 engagement, the security category must be included. The security category consists of the complete set of the common criteria, which integrate with the 2018 COSO Internal Control — Integrated Framework. The common criteria are categorized based on the following:

  • Control environment
  • Communication and information
  • Risk assessment
  • Monitoring activities
  • Control activities
  • Logical and physical access controls
  • System operations
  • Change management
  • Risk mitigation

It’s important to note, though, that your organization isn’t required to address all five of the Trust Services Criteria in our SOC 2 report; however, you should select the categories that are relevant to the services that you provide to your clients. So, aside from security, which apply to your organization: availability, processing integrity, confidentiality, and/or privacy?

Want the full handbook?


Rebuilding Trust After a Data Breach

American Perspective on Data Breaches

According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. Even more so, 64% of American adults have experienced data theft via credit card, account number, email account, social media accounts, Social Security number, loan, or tax return compromises. Yahoo, eBay, Equifax, Target, Anthem, Home Depot – it has become habitual to worry about data breaches, identity theft, and other privacy concerns. Why am I being shown this ad? How much does Facebook know about me? Has my data been sold? Is Google tracking me?

At KirkpatrickPrice, we talk a lot about how to prevent a data breach and put a heavy focus on the “before,” rather than the “after.” But, what happens after a data breach has occurred? How can your business recover? Let’s take a look at three advertising campaigns that aim to rebuild trust after a breach.

Facebook Data Scandal

With GDPR enforcement on the rise and data privacy at the top of digital consumers’ minds, the Facebook-Cambridge Analytica data breach has become one of the largest of all time. Out of the 2.2 billion Facebook users, 78 million were impacted by this breach. The data was used to build a software program that predicts, profiles, and influences voter choices. Now that Facebook’s data privacy practices are in the spotlight, more and more questionable practices are rising up.

The scandal is still unfolding, as Mark Zuckerberg is questioned by Congress and the GDPR enforcement date has officially passed. In an effort to win back user trust, Facebook launched a major advertising campaign, “Here Together,” which promises to protect users from spam, click bait, fake news, and data misuse.

How has the Facebook scandal impacted your use of the platform?

Uber Cover-Up

When Uber announced its breach in 2017, it hit close to home for the millions of drivers and riders who use the app every day. Uber reported that not only did hackers steal 57 million credentials (phone numbers, email addresses, names, and driver’s license numbers) from a third-party cloud-based service, but Uber also kept the data breach secret for more than a year after paying a $100,000 ransom.

The New York Times points out, “The handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws.” Uber recognizes that driver and rider trust is the core of their business, and when they announced this cover-up and breach, they knew they’d be facing major backlash.

In response to the breach, Uber began their “Moving Forward” campaign in an effort to rebuild trust. What do you think of this commercial – have they regained your trust? Would you still use the app?

Wells Fargo Incentives

The 2016 Wells Fargo breach was incredibly eye-opening to many consumers because it wasn’t a malicious hacker taking data; it was Wells Fargo. The bank was fined $185 million because of the 5,300 bank employees who created over 1.5 million unauthorized bank and credit card accounts on behalf of unsuspecting customers. Their reason for doing this was incentives; bank employees were rewarded for opening new bank and credit card accounts.

What is Wells Fargo doing now? In an effort to rebuild trust, Wells Fargo completely restructured its incentive plans by ending sales goals for branch bankers. Do you think that firing the 5,300 guilty bank employees and restructuring their incentive program is enough?

We believe that client trust is one of the most valuable benefits of compliance. Undergoing information security audits can help your organization maintain customers and attract new ones, distinguish your business from the rest, avoid fines for non-compliance, and answer to any sort of regulatory body.

How do you perceive this trend of public rebranding – is it convincing? Do you believe that companies like Facebook, Uber, and Wells Fargo have changed enough to rebuild trust?

More Resources

Turning Audit Into Enablement

Incident Response Planning: 6 Steps to Prepare your Organization

What Is an Incident Response Plan? The Collection and Evaluation of Evidence

When Will You See the Benefit of an Audit?

Are you considering going through an information security audit for the first time? Are you contemplating a requirement for all of your vendors to undergo information security audits? Are you looking for an auditing firm who can help your organization utilize the benefits of auditing? Do you need help explaining the value of information security audits to executive management? Are you trying to cultivate a culture of compliance within your organization? We’re here to help.

What are the Advantages to Auditing?

Many people are intimidated by the requirements, price, and efforts of auditing, but we believe the benefits outweigh the cost. Yes, undergoing information security audits is a challenging and time-consuming process for most organizations, but our Information Security Specialists aim to educate clients on the value that attestations and compliance can bring to their business, which range from competitive advantages to reputational improvement. When your organization has completed an information security audit and gained compliance, the challenges you faced will be worth it.

However, getting executives on board with undergoing information security audits can be challenging, because many organizations are fearful of the process. We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off a list rather than understanding the purpose and benefits. At KirkpatrickPrice, we want to be your audit partner, not just an item to check off on a list. We want to walk through this audit lifecycle with you, enhancing your business by placing security and compliance at the forefront of the current threat landscape.

Are you ready to get started on securing your business? Do you want to ensure your security posture is as strong as possible? Do you want to see how your mindset toward auditing can change over a three-year period?

Get the full report now.

How Can a SOC 2 Bring Value to Your SaaS?

No one wants to work with an at-risk SaaS provider. If someone is looking to use your services, they want to know how secure your SaaS solution actually is. You may think you have a secure SaaS solution, but does an auditor? Does a hacker? Let’s look at how a SOC 2 audit could bring value to your organization’s reputation, marketing initiatives, and competitive advantage.

What is a SOC 2?

What is a SOC 2 and How Can a SOC 2 Bring Value to Your SaaS?A SOC 2 audit is perfect for SaaS and other cloud service organizations that want to reassure their clients that their information is secure, available, and confidential. It’s becoming increasingly common for organizations to request that their vendors become SOC 2 compliant so they can ensure that the SaaS providers they work with are developing secure SaaS solutions.

A SOC 2 audit addresses third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 audit report focuses on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. When determining which Trust Services Criteria apply to your organization, consider the following questions:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

Typically, a SaaS provider will choose to be evaluated against the security and availability criteria. If a client can’t be assured that you have a realiabe, secure SaaS solution, why would they choose to use you? If a SaaS solution holds sensitive or valuable information, then an organization may choose to be evaluated for confidentiality.

Understanding Secure SaaS Solutions with SOC 2 Compliance

Undergoing a SOC 2 audit demonstrates that your organization is invested in providing a secure SaaS solution. Your reputation, business continuity, competitive advantage, and branding all depend on the quality and security of your systems and can benefit from SOC 2 compliance.

A SaaS provider depends on trust. If a client can’t trust your SaaS solution, why would they choose to use it? If your SaaS solution suffers from a data breach, the negative impact to your reputation would be a ripple effect. Once your SaaS solution has been successfully attacked and customers’ data has been exposed, you’ve put your organization on a path full of obstacles and fragmented security. Your reputation will be permanently changed. Clients will stop trusting you, larger, educated prospects won’t want to work with you, and lawsuits and fines will begin to surface. The continuity of your business depends on securing your systems.

On the other hand, if you do pursue SOC 2 compliance and achieve attestation, your organization will have a new branding tool. You can market your product as a reliable, secure SaaS solution. There are so many possible ways to incorporate your compliance into branding methodology. We always recommend that our clients leverage their compliance as marketing material and strive to help find creative ways to do so.

When you partner with an auditing firm that educates you and performs a thorough, quality-driven audit, you gain a valuable competitive advantage. Does your competition have a SOC 2 audit report? If not, you’re ahead of the game. Even if they have gone through a SOC 2 audit, was it a quality audit? You want to be educated on what a quality audits looks like so you can explain to prospects why your SOC 2 audit report holds more value than a competitor’s. Having a SOC 2 audit report from a licensed, quality-driven firm also opens you up to a whole new marketplace of prospects who are knowledgeable about security and looking for a vendor with SOC 2 compliance.

Even with all these benefits, you may be wondering what the penalties are of not pursuing SOC 2 compliance. These questions may help you understand the scope of implications if you don’t invest in SOC 2 compliance:

  • How would your organization’s reputation be damaged if you suffered from a data breach?
  • Would your clients stay loyal to you if they know that your SaaS solution couldn’t secure their information?
  • What future sales would you lose if your SaaS solution suffered from a data breach?
  • How are you validating that your security and privacy practices are in place and effective?
  • How happy would your competition be if you suffered from a data breach?
  • What’s your potential exposure to lawsuits if you suffered from a data breach? What fines would you pay?
  • How much would it cost to investigate a data breach and notify clients who were impacted?

The potential loss of business from a breach far outweighs the cost of compliance. Our Information Security Specialists want to be your audit partner, your second set of eyes validating that your security and privacy practices are effective. Let’s start planning your SOC 2 audit today.

SOC 2 Reporting Update: 2017 Trust Services Criteria

SOC 2 Reporting Changes

You may have recently noticed some changes in SOC 2 reporting, like the inclusion of an internal control framework and a change from “Trust Services Principles” to “Trust Services Criteria.” Why the changes? The AICPA’s Assurance Services Executive Committee (ASEC) recently issued a SOC 2 reporting update that includes a new set of 2017 Trust Services Criteria, which will provide integration with the 2013 COSO framework and ways to better address cybersecurity risks.

Name Change – Trust Services Criteria

The most noticeable change from this SOC 2 reporting update is the name change, which revises “Trust Services Principles and Criteria” to “Trust Services Criteria.” Security, availability, processing integrity, confidentiality, and privacy are still the five categories under this revised name, and they are integrated with the 2013 COSO framework. Because the 2013 COSO framework uses “principles” to refer to the factors of internal control, ASEC removed “principles” from the original name to avoid any misunderstandings.

Integration with the 2013 COSO Framework

What else has changed with SOC 2 reporting, other than a name change? SOC 2 reporting now has integration with the 2013 COSO framework. This framework is used to assess the design, implementation, and maintenance of internal controls and assess their effectiveness. It makes sense for the Trust Services Criteria to have integration with the 2013 COSO framework because they are both assessing internal controls. The Trust Services Criteria assess internal controls over the security, availability, processing integrity, confidentiality, and privacy of a system. The 2013 COSO framework assesses internal controls relating to control environment, risk assessment, information and communications, monitoring activities, and existing control activities. Service organizations’ controls must meet the 17 internal control principles that align with COSO’s five components of internal control, along with some new, supplemental criteria. The 17 internal control principles include:

SOC 2 Reporting Infographic: 2017 Trust Services Criteria

These internal control principles don’t map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.

Supplemental Criteria

In addition to the 17 internal control principles from the 2013 COSO framework and the Trust Services Criteria, service organizations must meet new, supplemental criteria that address cybersecurity risk. These supplemental criteria include:

  • Logical and Physical Access Controls – How service organizations implement logical and physical access controls to prevent unauthorized access to protect information assets.
  • System Operations – How service organizations manage the operation of their systems to detect, monitor, and mitigate security incidents.
  • Change Management – How service organizations determine the need for changes to infrastructure, data, software, and/or procedures, securely make changes, and prevent unauthorized changes.
  • Risk Mitigation – How service organizations identify, select, and develop risk mitigation activities for risks arising from vendors, business partners, and other disruptions.

Points of Focus

Another new element to the 2017 Trust Services Criteria are points of focus. While integrated into COSO, points of focus are new to SOC 2 reporting and the Trust Services Criteria. Points of focus are just that – details or characteristics to focus on and should be included in the design, implementation, and operation of an internal control. Points of focus will assess whether the 17 internal control principles from the 2013 COSO framework, Trust Services Criteria, and supplemental criteria are implemented and functioning. Points of focus are characteristics that auditors have always generally incorporated into their review, but with this SOC 2 reporting update, points of focus are now defined.

The supplemental criteria for risk mitigation (CC9.1) states, “The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.” What details or characteristics of this internal control should your organization focus on? The points of focus listed include:

  • Considers Mitigation of Risks of Business Disruption – Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity’s objectives during response, mitigation, and recovery efforts.
  • Considers the Use of Insurance to Mitigate Financial Impact Risks – The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives.

It’s important to note that an assessment of points of focus is not required; not all points of focus are applicable to every service organization or situation. You can have effective internal controls without addressing every single point of focus.

How Does This Affect Your Organization?

Since the 2017 Trust Services Criteria was released in April 2017, SOC 2 reports have been required to state which set of criteria was used – 2016 Trust Services Principles and Criteria or 2017 Trust Services Criteria. Beginning December 15, 2018, SOC 2 reports must use the 2017 Trust Services Criteria. If your organization pursues SOC 2 Type II attestation, you should begin determining what your next SOC 2 audit period will be and how the integration with the 2013 COSO framework, supplemental criteria, and points of focus will affect your audit.

The AICPA has published a mapping of the 2016 Trust Services Principles and Criteria to the 2017 Trust Services Criteria to help you further understand this SOC 2 reporting update. For more information on Trust Services Criteria or SOC 2 services, contact us today.